
T1134.005 SID-History Injection

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens.[1] An account can hold additional SIDs in the SID-History Active Directory attribute,[2] allowing interoperable account migration between domains: every value in SID-History is included in the account's access token, so a migrated account keeps the access its old SIDs were granted.

With Domain Administrator (or equivalent) rights, harvested or well-known SID values[3] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, SMB/Windows Admin Shares, or Windows Remote Management.

ID: T1134.005
Sub-techniques of T1134: T1134.001, T1134.002, T1134.003, T1134.004, T1134.005
Tactics: TA0005, TA0004
Platforms: Windows
Permissions required: Administrator, SYSTEM
Version: 1.0
Created: 18 February 2020
Last Modified: 09 February 2021

Procedure Examples

S0363 Empire: Empire can add a SID-History entry to a user if running on a domain controller.[12]
S0002 Mimikatz: Mimikatz's MISC::AddSid module can append any SID or user/group account to a user's SID-History. Mimikatz also uses SID-History Injection to expand the scope of other components, such as generated Kerberos Golden Tickets and DCSync, beyond a single domain.[11][10]

Mitigations

M1015 Active Directory Configuration: Clean up SID-History attributes after legitimate account migration is complete.

Detection

DS0026 Active Directory: Active Directory Object Modification
DS0009 Process: OS API Execution
DS0002 User Account: User Account Metadata
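The mitigation (M1015) and the User Account Metadata data source both come down to the same audit: enumerate every account's sIDHistory and flag entries that legitimate migration would never produce. The script below is an added example, not part of the ATT&CK page or any of the tools it lists. It decodes the binary SID format stored in the sIDHistory attribute and applies three checks: a history SID from the local domain itself (migration only ever copies SIDs from a source domain), a privileged RID or well-known privileged SID (Domain Admins, Enterprise Admins, BUILTIN\Administrators), and a SID from a domain that is not on an allow-list of known migration sources. Anything else is reported as a cleanup candidate. The domain SIDs, account names and attribute values are constructed sample data; in practice the `sIDHistory` blobs would come from an LDAP query or `Get-ADUser -Properties sIDHistory`.

```python
import struct
from typing import Dict, Iterable, List, Tuple

# Privileged RIDs and well-known SIDs, taken from Microsoft's published well-known SID list.
PRIVILEGED_RIDS: Dict[int, str] = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
PRIVILEGED_SIDS: Dict[str, str] = {"S-1-5-32-544": "BUILTIN\\Administrators"}


def sid_to_string(blob: bytes) -> str:
    """Decode the binary SID layout used by objectSid/sIDHistory into 'S-1-5-21-...' text."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")            # 48-bit identifier authority, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)  # 32-bit sub-authorities, little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_from_string(sid: str) -> bytes:
    """Inverse of sid_to_string; used here only to build the constructed sample data."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def audit_sid_history(accounts: Iterable[Dict], local_domain_sid: str,
                      migration_sources: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (sAMAccountName, history SID, reason) for every sIDHistory entry worth a look."""
    sources = set(migration_sources)
    findings: List[Tuple[str, str, str]] = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        for blob in acct.get("sIDHistory", []):
            sid = sid_to_string(blob)
            reasons: List[str] = []
            if sid in PRIVILEGED_SIDS:
                reasons.append("well-known privileged SID: " + PRIVILEGED_SIDS[sid])
            else:
                domain, rid = split_sid(sid)
                if domain == local_domain_sid:
                    reasons.append("SID from the local domain; migration never produces this")
                elif domain not in sources:
                    reasons.append("SID from a domain that is not a known migration source")
                if rid in PRIVILEGED_RIDS:
                    reasons.append("privileged RID %d (%s)" % (rid, PRIVILEGED_RIDS[rid]))
            if not reasons:  # ordinary migrated SID: still a cleanup item under M1015
                reasons.append("sIDHistory populated; remove once migration is complete")
            findings.extend((name, sid, r) for r in reasons)
    return findings


# Constructed sample: a local domain, one legitimate migration source, and four accounts.
LOCAL_DOMAIN = "S-1-5-21-1111-2222-3333"
OLD_DOMAIN = "S-1-5-21-4444-5555-6666"


def sample_accounts() -> List[Dict]:
    return [
        {"sAMAccountName": "clean", "sIDHistory": []},
        {"sAMAccountName": "svc_migrated", "sIDHistory": [sid_from_string(OLD_DOMAIN + "-1105")]},
        {"sAMAccountName": "jdoe", "sIDHistory": [sid_from_string(LOCAL_DOMAIN + "-519")]},
        {"sAMAccountName": "backup", "sIDHistory": [sid_from_string("S-1-5-32-544")]},
        {"sAMAccountName": "contractor", "sIDHistory": [sid_from_string("S-1-5-21-7777-8888-9999-1200")]},
    ]


def run_sample() -> List[Tuple[str, str, str]]:
    return audit_sid_history(sample_accounts(), LOCAL_DOMAIN, [OLD_DOMAIN])


if __name__ == "__main__":
    for name, sid, reason in run_sample():
        print("%-14s %-32s %s" % (name, sid, reason))
```

The local-domain check is the strongest signal: a SID whose domain portion equals the domain the account lives in has no migration explanation. For change-based detection (DS0026), the same decode can be applied to the new attribute value in directory audit events; Windows also records an addition to SID-History as Security event 4765 (not mentioned on this page), which is the natural trigger for running this check on a single account.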

References